TRUSTe to certify mobile applications

SECURITY

Published 4:00 am, Sunday, November 28, 2010

After more than a decade of certifying that websites are safeguarding users' privacy, TRUSTe Inc. is moving into an area that it says is even riskier: mobile phone applications.

People take their phones for granted, says Chris Babel, chief executive officer of San Francisco's TRUSTe. The trouble is, mobile applications can tap into the phone's capabilities to monitor your every move.

"With the wrong app, you realize that it's a GPS tracking device," he said.

TRUSTe, which began as a nonprofit enterprise in 1997 and switched to a for-profit business two years ago, wants to reassure users that apps are safe - while opening up a lucrative new market for itself. It announced plans in September to sell companies certificates that vouch for an app's privacy protection. TRUSTe has since signed up more than a dozen customers, including GoDaddy.com Inc., Weather Channel Interactive Inc. and Yelp Inc.

Until now, TRUSTe and rivals such as Symantec Corp. and VeriSign Inc. have focused on websites accessed on personal computers. The companies offer seals of approval that customers place on their sites - something like a Better Business Bureau certificate - to show that people can safely shop there and share their personal information.

Attractive to scammers

The growth of smart phones and mobile apps has attracted scammers, who once stuck mostly to PCs, said Maribel Lopez, founder of Lopez Research LLC in San Francisco, which tracks the mobile industry. That includes phishers, who try to coax people into revealing personal information by making a message or website look as if it came from a real company, such as a bank.

"The people that do malware, or phishing, haven't been bothering with mobile to the same extent as they had with other PC platforms," she said. "Well, all that's changing now, because everyone has a mobile device, if not several."

More than a third of Americans now access the Internet on their mobile phones, according to an October survey by the National Cyber Security Alliance and Symantec. Less than half of respondents said they felt very or somewhat safe. Almost a quarter said they use apps that track their location, and 12 percent regularly use their mobile phones for banking.

While TRUSTe provides a seal of approval for an app's privacy policies, it doesn't offer a guarantee of security. That means a user's credit card could still be stolen. It also isn't alone in verifying that apps protect users. Apple Inc., which runs the biggest app store, does its own vetting of software developers.

'Thorough process'

"We have a very thorough approval process and review every app," said Natalie Harrison, a spokeswoman for Apple in Cupertino. "We also check the identities of every developer, and if we ever find anything malicious, the developer will be removed from the iPhone Developer Program and their apps can be removed from the App Store."

Apple has more than 300,000 apps, and users have downloaded more than 7 billion of them to their iPhones, iPod Touches and iPads, Harrison said.

Microsoft Corp. and Google Inc., which also run app stores, have their own approaches. Microsoft uses a multistep process that requires app publishers to get their identity verified, said Todd Brix, a senior director at the company. Then Microsoft reviews and tests the app for five days before publishing it.

Symantec provides the identity-verification and code-signing certificates for Microsoft, through a business it purchased from VeriSign this year for $1.28 billion.

"That's what we believe is good practice," said Tim Callan, head of Symantec's trust-services product marketing. The store for Google's Android apps doesn't require that, he said.

"The Android platform allows what we call self-signed code," meaning the app publishers themselves vouch for it, Callan said. That makes it more vulnerable to outside attacks, he said. "That is a bad model, an untrustworthy model."

Certain types of apps are riskier than others, said Mandeep Khera, chief marketing officer of Cenzic Inc. in Santa Clara, a seller of security software for Web applications.

"It's OK to play games," he said. "But when you're dealing with your personal finances, and very confidential information that hackers are drooling over, I would stay away from those applications for now."

Checking software

Some apps promise to scan programs on phones for potentially harmful software. Symantec's Norton Mobile Security app, for instance, works with Android. The free program has been downloaded 40,000 times.

San Francisco's Lookout Inc., which has raised more than $15 million since its founding a year ago, also offers such an app. It works on Android, BlackBerry and Windows Mobile phones. The company has more than 3 million registered users.

TRUSTe may be able to carve out its own niche, as long as it can assure users that apps keep tight control over their personal information, said Chenxi Wang, an analyst at Forrester Research Inc.

"There is a value to be added there," she said.

Babel, who was named CEO of TRUSTe almost a year ago, came from VeriSign's worldwide authentication services business. TRUSTe will generate $10 million or more in revenue this year, he said.

The closely held company, which raised $12 million in funding in June, will continue to provide seals to websites. Prices for certification seals depend on the size of the organization and can range from $500 to more than $100,000, Babel said. TRUSTe has certified 3,000 websites.

Yelp, a review site for local businesses, signed up for TRUSTe's app certificate because it gives users an easier way to see its privacy policy, said company spokeswoman Stephanie Ichinose. Among other things, its policy prohibits unauthorized access of users' data.

"It helps people understand pretty clearly and quickly," she said.
